iso 9001:2008 quality assurance assessment of defense ... · pdf fileiso 9001:2008 quality ......

Report No. DoDIG-2012-143 September 27, 2012

ISO 9001:2008 Quality Assurance Assessment of Defense Acquisition University Processes

Report Documentation Page Form ApprovedOMB No. 0704-0188

Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering andmaintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information,including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, ArlingtonVA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if itdoes not display a currently valid OMB control number.

1. REPORT DATE 27 SEP 2012 2. REPORT TYPE

3. DATES COVERED 00-00-2012 to 00-00-2012

4. TITLE AND SUBTITLE ISO 9001:2008 Quality Assurance Assessment of Defense AcquisitionUniversity Processes

5a. CONTRACT NUMBER

5b. GRANT NUMBER

5c. PROGRAM ELEMENT NUMBER

6. AUTHOR(S) 5d. PROJECT NUMBER

5e. TASK NUMBER

5f. WORK UNIT NUMBER

7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) Inspector General of the Department of Defense,400 Army Navy Drive,Arlington,VA,22202-4704

8. PERFORMING ORGANIZATIONREPORT NUMBER

9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S)

11. SPONSOR/MONITOR’S REPORT NUMBER(S)

12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited

13. SUPPLEMENTARY NOTES

14. ABSTRACT

15. SUBJECT TERMS

16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT Same as

Report (SAR)

18. NUMBEROF PAGES

65

19a. NAME OFRESPONSIBLE PERSON

a. REPORT unclassified

b. ABSTRACT unclassified

c. THIS PAGE unclassified

Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18

Additional Information The Department of Defense Office of the Deputy Inspector General for Policy and Oversight prepared this report. If you have questions, contact the signer of the report.

Suggestions for Assessments To suggest ideas for or to request future reviews, contact the Office of the Deputy Inspector General for Policy and Oversight by phone (703) 602-1017 (DSN 602-1017), by fax (703) 604-8982, or by mail: Department of Defense Office of Inspector General Office of the Deputy Inspector General for Policy and Oversight 4800 Mark Center Drive (Suite 15K28) Alexandria, VA 22350-1500

Acronyms and Abbreviations DAU Defense Acquisition University IG Inspector General IS Information Systems MIPRs Military Interdepartmental Purchase Requests

INSPECTOR GENERAL DEPARTMENT OF DEFENSE 4800 MARK CENTER DRIVE

ALEXANDRIA, VIRGINIA 22350-1500

SEP 2 7 2012

MEMORANDUM FOR ACTING PRESIDENT, DEFENSE ACQUISITION UNIVERSITY

SUBJECT: ISO 9001:2008 Quality Assurance Assessment of Defense Acquisition University Processes (Report No. DODIG-2012-143)

The subject assessment was started on January 27,2012 at the request of the former Defense Acquisition University President.

The DoD IG conducted a quality review of seven functional areas at the Defense Acquisition University (DAU) utilizing ISO 9001:2008 Quality Management System Requirements. The assessment did not uncover any material weakness in the process reviewed. The DoD IG did however identify two systemic issues concerning inadequate documented processes and procedures and inadequate internal training and documentation of the training. Once the opportunities for improvement noted in this report are implemented, DAU will have a more mature and robust process.

DoD Directive 7650.3 "Follow-up on General Accounting Office (GAO), DoD Inspector General (DoD IG), and Internal Audit Reports," requires that recommendation be resolved promptly. DAU concurred with the DOD IG recommendations made in the September 21, 2012 draft report. DAU indicated they will have all three recommendation fully implemented by September 30, 2013. Therefore, no additional comments are required.

We appreciate the courtesies extended to the staff. For additional information on this report, please contact Ms. Heather Simko at (703) 699-5498 (DSN 664-5498).

-~~ cc:

Deputy Inspector General Policy and Oversight

Director, Performance and Resource Management, DAU Director, Operations Support Group, DAU

Report No. DODIG-2012-143 September 27, 2012

i

Results in Brief: ISO 9001: 2008 Quality Assurance Assessment of Defense Acquisition University Processes

What We Did Our overall objective was to perform a quality review, using ISO 9001:2008 Quality Management System assessment techniques, of Defense Acquisition University (DAU) processes. We determined whether established practices and processes in each functional area were effectively implemented and maintained and whether process controls were adequate and identified organizational risks. We also determined the effectiveness of each process to identify areas needing improvement. We reviewed seven functional areas. At the completion each functional area review, we produced a status report that identified any findings or opportunities for improvement for DAU (Appendix B). The findings and opportunities for improvements identified in the status reports were used to identify the systemic issues cited in this report.

What We Found This assessment did not uncover any material weaknesses in the processes reviewed. However, opportunities for improvement were noted, which resulted in the DoD Inspector General (IG) identifying two systemic issues:

• Systemic Issue A. DAU internal processes and procedures were not fully documented. Also, DAU did not adequately diagram its process flows.

• Systemic Issue B. DAU did not have a robust training program in place for its internal processes. Also, DAU did not consistently track that individual users completed training for internal processes and systems.

What We Recommend The DoD IG recommends that DAU:

1. Document all the processes and procedures within the seven functional areas and reassess their validity a year after full implementation.

2. Review each process flowchart and standardize them across the university. 3. Review training on internal processes and procedures and track and document that all individual

users have completed the training.

Management Comments The Chief of Staff of the Defense Acquisition University accepted the two findings and concurs with all three recommendations.

ii

Table of Contents Introduction 1 Objectives 1 Background 1 Scope and Methodology 1 Summary of Results 1 Systemic Issue A. Inadequately Documented Procedures 2 Recommendations 2 Defense Acquisition University Response 2 DoD IG Response 3 Systemic Issue B. Inadequate Training and Documentation of Training 3 Recommendation 3 Defense Acquisition University Response 3 DoD IG Response 3 Conclusion 3 Appendices A. Scope and Methodology 4 B. Functional Area Reports and DAU Comments 5 Financial System Report 6 Contracting Process Report 19 Micro Purchases and Training Requisiton Report 29 Property Management, Supply Maintenance, Real Property Management and Facilities Maintenance Process Report 40 Information Technology Process Report 47

Management Comments 57

Introduction Objectives Our overall objective was to perform a quality review, using ISO 9001:2008 Quality Management System assessment techniques, of Defense Acquisition University (DAU) processes. We reviewed the processes within seven functional areas: Finance, Contracting, Micro-Purchases and Training Requisitions, Property Management, Real Property Management and Facilities Maintenance, Supply Management, and Information Systems (IS). We determined whether established practices and processes in each functional area were effectively implemented and maintained and whether process controls were adequate and identified organizational risks. We also determined the effectiveness of each process to identify areas needing improvement.

Background The DAU President requested that the DoD Deputy Inspector General (IG) of Policy and Oversight conduct an ISO 9001:2008 quality assessment of select functional areas and their processes. We started the subject assessment on January 27, 2012.

Scope and Methodology We conducted a quality review of the seven functional areas and their processes, based on ISO 9001:2008 Quality Management System Requirements, at the DAU administered by one of three groups: Performance and Resource Management (PRM), Operations Support Group (OSG), and Information Systems (IS). We conducted the reviews of Finance, Contracting, Micro-Purchases and Training Requisitions, and IS separately. We combined the areas of Property Management, Supply Management, and Real Property Management and Facilities Maintenance because they are all under the OSG. We produced a status report at the completion of each functional area review that identified any findings or opportunities for improvement for DAU. DAU had 30 days to review and comment on each status report. Appendix B of this report contains each report and DAU’s comments. The individual functional area reports outline the detailed methodology used to assess the processes in that area. This overarching report of the seven functional areas identifies only the systemic issues found.

Summary of Results During the course of this assessment, the team identified 3 findings and 30 opportunities for improvement, which resulted in 2 systemic issues. The three findings were identified during the review of the finance area. The three findings are:

1. Incoming Military Interdepartmental Purchase Requests (MIPRs) −DoD Regulation 7000.14, “DoD Financial Management Regulation,” and DoD Instruction 4000.19, “Interservice and Intragovernmental Support,” are not incorporated into DAU standard operating procedures.

2. Outgoing MIPRs−DoD Regulation 7000.14 and DoD Instruction 4000.19 are not incorporated into DAU standard operating procedure.

1

3. Change requests for the Standard Army Finance Information System are not implemented and do not allow for the period of performance to be included on the outgoing MIPRs processed through the electronic DAU Business Center.

See Appendix B for details of these findings and DAU’s plan to address each of the findings. The 30 opportunities for improvement consist of 2 in Finance; 4 in Contracting; 9 in Micro Purchases and Training Requisitions; 6 in Property Management, Real Property Management and Facilities Maintenance, and Supply Management; and 9 in IS. These opportunities for improvement are detailed in the status report for each functional area in Appendix B.

Systemic Issue A. Inadequately Documented Procedures Several of the processes within the seven functional areas were not fully documented. Many of the processes and procedural documents are in draft form or are currently being drafted. Also, the process flows for these processes are improperly or inadequately diagramed. For example, the process flows within the procedures did not clearly show the current process, decision points, alternate paths, or starting and stopping points. Examples of this were identified in each of the functional areas. The Federal Acquisition Regulation is the overarching criteria for the Finance functional area; however, DAU has no procedural documents for that area. DAU uses an automated system to process MIPRs and purchase and training requests; however, the process flowcharts used to document the process do not accurately show the process, which includes decision points and process variations. In addition, at the time of the assessment, the contracting process was in draft form and still being refined. Moreover, DAU has directives for Property Management and IS; however, the supplemental procedures were being written or were in draft form. See Appendix B for further details. It is a best business practice to document all procedures, even if those procedures are automated, for ease of training, knowledge transfer, process verification, and process improvement. It is also a best business practice to use standardized flowcharts when charting processes and information flow through a system.

Recommendations The DoD IG recommends that DAU:

1. Document all the processes and procedures within the seven functional areas and reassess their validity a year after full implementation.

2. Review each process flowchart and standardize them across the university.

Defense Acquisition University Response 1) DAU concurs with the recommendation and will have all processes and

procedures with the seven functional areas thoroughly and properly well documented no later than September 30, 2013.

2

2) DAU concurs with the recommendation and will review each process flowchart for standardization and consistency across the university no later than March 31, 2013.

DoD IG Response The DoD IG concurs with DAU’s plan of action in response to the two recommendations to improve their documented procedures. Systemic Issue B. Inadequate Training and Documentation of Training DAU did not have a robust training program for internal processes and the use of its electronic business systems. For example, for many of the process areas, no formal training was provided beyond an on-line slide presentation. However, DAU supplements the slides with one-on-one training in the use of the automated business systems. Also, DAU did not track whether individual users had successfully completed the on-line training or the supplemental training. Effective training and documentation of training is a best practice.

Recommendation 3. The DoD IG recommends that DAU review training on internal processes and

procedures and track and document that all individual users have completed the training.

Defense Acquisition University Response 3) DAU concurs with the recommendation and will review our training on internal

processes and procedures, and will track and document that all individual users have completed appropriate training by March 31, 2013

DoD IG Response

The DoD IG concurs with DAU’s plan of action in response to the recommendation to improve their internal training program.

Conclusion This assessment did not uncover any material weaknesses in the processes reviewed. However, many opportunities for improvement were noted that, when implemented, will result in more mature processes. DAU’s main weakness across all functional areas is the lack of documentation and training. Many of the process documents in each of the functional areas are still in draft form, have not been documented, or have not been fully implemented. Processes currently being used are meeting DAU’s needs; however, due to the immaturity of several of the process, this assessment should serve as a baseline for future assessments.

3

Appendix A. Scope and Methodology We conducted this technical assessment from January 2012 through August 2012 in accordance with the Council of the Inspectors General on Integrity and Efficiency, “Quality Standards for Inspection and Evaluation.” Those standards require that we plan and perform the assessment to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our assessment objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our assessment objectives.

Use of Computer-Processed Data We did not use computer-processed data to perform this assessment.

4

Appendix B. Functional Area Reports and DAU Comments

5

6


ALEXANDRIA, VIRGIN IA 22350- 1500

April24, 2012

MEMORANDUM FOR CHIEF OF STAFF, DEFENSE ACQUISITION UNIVERSITY

SUBJECT: Defense Acquisition University (DAU) Quality Assurance Process AssessmentFinancial Systems Report

We are issuing this status memorandum to inform you of the results of the Financial System Process Assessment conducted from January 27 - March 30, 2012 as part of the overarching Defense Acquisition University (DAU) ISO 9001:2008 Quality Assurance Process Assessment. The objective of this assessment was to determine whether established practices are being effectively implemented and maintained, verify that controls are adequate, assess the effectiveness of the process, and identify opportunities for improvement.

We assessed the effectiveness ofthe DAU Performance and Resource Management (PRM), which monitors and conducts all financial processes to include incoming and outgoing Military Interdepartmental Purchase Requests (MIPRs), purchase requisitions, and invoices. We identified internal control weaknesses in the DAU-PRM group's incoming and outgoing MIPR processes. DAU-PRM personnel did not complete Support Agreements and Determinations and Findings in accordance with Federal and DoD guidance. In addition, MIPRs did not specify the period of performance, as required. We did not identify internal control wealrnesses in the DAUPRM's purchase requisition and invoice processes. We identified opportunities for improvement in training the employees in the use of the DAU Business Center. These items are detailed further in the attached repmt .

Although we identified internal weaknesses and opportunities for improvement, they were limited in scope and did not affect the overall effectiveness of the processes. Consequently, we determined that the DAU-PRM personnel effectively control and monitor the financial process through the electronic DAU Business Center.

By May 25, 2012, please provide my office with the status of actions planned and taken in response to this memorandum. When we complete the full assessment, we will provide a final report that will include the results of this assessment and the seven remaining process areas and the overall effectiveness of the DAU processes.

7

Please direct questions or concerns regarding this memorandum and attached report to Ms. Heather Simko at (703) 699-5498, [email protected].

Af~~(_ Director

Teclmical Assessment Directorate

Attaclunent: Defense Acquisition University (DAU) Process Quality Assessment - Financial Process Report

cc: Director, Performance and Resource Management

8

Defense Acquisition University Process Quality Assessment - Financial Process Report

Objective Our overall objective was to perform a quality review, using ISO 9001:2008 Quality

Management System assessment techniques, of the Defense Acquisition University (DAU) financial processes managed by the Performance and Resource Management (DAU-PRM). Specifically, we examined incoming Military Interdepartmental Purchase Requests (MIPRs), outgoing MIPRs, invoices, and purchase requisitions to determine whether established practices were effectively implemented and maintained, process controls were adequate, and indentified organizational risks. We also determined the effectiveness of each process area to identify areas needing improvement.

Scope and Methodology We conducted a quality review of the financial processes, based on JSO 9001:2008 Quality Management System Requirements, at the DAU administered by DAU-PRM through the DAU electronic Business Center. Specifically, we reviewed the processes for incoming MIPRs,

outgoing MIPRs, purchase requisitions, and invoices. We interviewed DAU-PRM personnel to learn the processes used to execute these transactions. We developed review checklists, based on criteria established in the Defense Federal Acquisition Regulation Supplement (DF ARS), Federal Acquisition Regulation (FAR), DoD Financial Management Regulation (FMR), and DAU-PRM process flowchatts . We compared the actual DAU-PRM processes with the relevant criteria and flowcharts to assist in identifying wealmesses in internal controls. We reviewed incoming MIPRs, outgoing MIPRs, purchase requisitions, and invoices processed during fiscal years 2011 and 2012 (10 transactions per fiscal year). We reviewed 20 incoming MIPRs, valued at about $243,800, that the DAU received from other DoD and non-DoD sources. We also

reviewed 20 outgoing MIPRs, valued at about $5.7 million, that the DAU sent to other DoD and non-DoD sources. In addition, we reviewed purchase requisitions and invoices valued at $17,207 and $845,500, respectively. We requested and reviewed the suppmting documentation for each ofthese four financial areas. Specifically, we requested and reviewed the following: DD Form 448, "Military lnterdepa11mental Purchase Request," DD Form 448-2 "Acceptance of MIPR," Determinations and Findings, Supp011 Agreements, purchase requisitions, invoices, and

statements of work.

9

A. Incoming Military Interdepartmental Purchase Requests The DAU-PRM properly accepted incoming MIPRs within 30 days of receipt; ensured incoming MIPRs were authorized, and included a funds citation on the MIPR acceptance forms. However, DAU-PRM persmmel did not complete Support Agreements in accordance with DoD guidance when rendering requested suppmt to other DoD organizations. This occurred because DAUPRM personnel believed signatures on the DD Form 448 were sufficient and complied with DoD guidance. As a result, there is no documentation showing that the capabilities existed at DAU to render the suppmt without jeopardizing assigned missions.

Incoming MIPR Transactions During Fiscal Years 2011 and 2012 We reviewed 20 incoming MIPRs valued at about $243,800 that the DAU-PRM received from other DoD and governmental sources. Eighteen of the incoming MIPRs were from other DoD activities, and two were from non-DoD Federal activities.

I

MIPR Acceptance Overall, we found that the DAU-PRM accepted incoming MIPRs in a timely manner. Specifically, we found that 19 of the 20 incoming MIPRs were accepted within 30 days of receipt. DAU-PRM personnel are responsible for ensuring that MIPRs are properly accepted

within 30 days of receipt ofthe requesting activity' s MIPR request. DFARS 208.7004, "Coordinated Acquisition," revised April 19, 2011, states that acquiring activities formally accept a MIPR, as soon as practicable, but no later than 30 days after receipt of the DD Form 448. DAU-PRM personnel could not determine why one of the reviewed MlPRS was accepted after the 30-day requirement. The MIPR was submitted to DAU-PRM on July 29, 2011, and was accepted on September 1, 2011. DAU-PRM personnel stated that they did not receive the MIPR directly and this incoming MIPR transaction occurred prior to the activation of

the automated incoming MIPR process in their elech·onic Business Center system. All MIPRs are now processed through the electronic Business Center system.

MIPR Authorizations DAU-PRM finance personnel authorize incoming MIPRs through the electronic Business Center system after a review of DD Form 1144 or 448 or other funding documentation is completed. We found that the acceptances for a1120 incoming MIPRs were authorized.

Funds Citations DAU-PRM personnel are responsible for ensuring that fimds citations are included on DD Form 448-2, "Acceptance ofMIPRs." We found that all DD Forms 448-2 for the 20 incoming MIPRs included a funds citation. The DoD FMR, volume 11 A, chapter 3, states

10

that whether the order is on a reimbursable or direct cite basis, it is generally negotiated between

the two patties, and an Economy Act order should include a funds citation (either direct or

reimbursable). The incoming MIPRs processed by DAU-PRM were on a reimbursable basis.

Support Agreements We found that 16 of20 Suppmt Agreements (DD Form 114) were not completed in accordance

with the DoD FMR and DoD Instruction 4000.1 9. Specifically, we identified instances in which

blocks 8 and 9 ofDD Form 1144 were not properly completed. DD Forms 1144 were

incomplete because of the following reasons:

• No Approving Authority signature for the Supplying Component in section 8,

• The Comptroller from the Supplying Component did not sign section 8,

• No Approving Authority signature for the Receiving Component in section 9,

• The Receiving Component did not complete section 9, and

• The Comptroller from the Receiving Component did not sign section 9.

To support an interagency Economy Act order, the Federal Acquisition Regulation Subpart 17.5,

and the DoD FMR, volume 11A, chapter 3, require the agency to prepare a Determination and

Findings. A Determination and Finding states that the use of interagency support capabilities is

in the best interest of the Government and that the required goods, supplies, or services cannot be

obtained as conveniently or economically by contracting directly with a private source. For

interservice suppmt, DoD Instruction 4000.19 and DoD FMR, volume 11 A, chapter 3, state that

these determinations are accomplished by signing a Suppmt Agreement (blocks 8 and 9 on DD

Form 1144, "Suppmt Agreement").1 No further written detenninations are generally required for

agreements between DoD activities. Table 1 identifies the Suppmt Agreements that were

incomplete.

1 Block 8 is completed by the supplying component and block 9 is completed by the receiving component.

11

Table 1. Support Agreements Were Incomplete

MIPRNo.

SP10011101073

DWAM01302

N000241111P01037

MIPRILDACRQ019

H601 011 MPP0015

MIPR1KDATHR169

MIPR 1 HDAUQM206

MIPRIIOVH9LOOI

M954501211P00016

N659161211P07006

SP10011200068

MIPR0010115976

MlPR2ADA T12001

MIPR2ADA T12003

MIPR2BDATGM228

MIPR 1 KDAT06612

Recommendation

Block 8 on DD Form 1144 Was Completed

Yes No X

X X X X

X X X X

X X X

X X

X

X

We recommend that the Chief of Staff, DAU:

Block 9 on DD Form 1144 Was Completed Yes No

X X

X X

X

X X

X X

X X

X

X

X X

X

1. Direct DAU-PRM to develop and implement standard operating procedures that will incorporate the DoD Financial Management Regulation and DoD Instruction 4000.19 into the process for completing incoming Military Interdepartmental Purchase Requests and Suppmi

Agreements.

B. Outgoing Military Interdepartmental Purchase Requests The DAU- PRM properly approved outgoing MIPRs, ensured the MIPRs served a bona fide need, and identified the line of accounting on the MIPRs. However, DAU-PRM personnel did not always complete Determination and Findings and/or Support Agreements, and the MIPRs did not specify the period of performance. This occurred because DAU-PRM personnel misinterpreted DoD guidance and the system capabilities do not allow the period of perfmmance to be included on the MIPR. As a result, the DAU-PRM did not determine that the requested suppmi would be in the best interest of the U.S. Government and MIPRs were not processed in

accordance with DoD guidance.

12

Outgoing MIPR Transactions During Fiscal Years 2011 and 2012 We reviewed 20 outgoing MIPRs valued at about $5.7 million that DAU sent to other DoD and

governmental sources. Ten ofthe outgoing MIPRs were sent to other DoD activities and 10 were sent to non-DoD federal activities.

MIPR Approvals DAU-PRM is responsible for ensuring that it properly approves outgoing MIPRs. We found that the appropriate authority to procure the required goods approved all outgoing MIPRs.

Bona Fide Needs DAU-PRM is responsible for determining that MIPRs are in the best interest of the Government

and serve a bona fide need. The DAU-PRM issued all the MIPRs under the Economy Act or other statutory authorities and cited an annual or multiyear appropriation; therefore, the MIPRs were required to meet the Bona Fide Needs Rule. Section 1502 (a), title 31, United States Code, "Balances Available," October 11, 2005, also known as the Bona Fide Needs Rule, requires that the balance of an appropriation or fund limited for obligation to a definite period is available only for payment of expenses properly incuned during the period of availability, or to complete

contracts properly made within that period of availability. The DoD FMR, volume 11A, chapter 3, which incorporates the Bona Fide Needs Rule, requires Economy Act orders citing an annual or multiyear appropriation serve a need existing in the fiscal year for which the appropriation is available. We found that all MIPRs met the Bona Fide Needs Rule, the periods of performance were identified, and the appropriations used served a bona fide need arising, or existing, in the fiscal years for which the appropriations were available for obligation.

Line of Accounting We found that the line of accounting was identified on the outgoing MIPRs. DAU-PRM cited the funds to ensure that they were properly chargeable to the allotments stated in the MIPRs and the available balances of which were sufficient to cover the costs associated with the MIPRs.

Determination and Findings and Support Agreements We found that the DAU-PRM completed a Determination and Findings and/or Support Agreements for only 3 of the 20 MIPRs we reviewed. The head of the requiring activity must determine if it's in the best interest of the activity to request support from another agency. The manner in which the determination is made differs for agreements with DoD agencies and agreements with non-DoD agencies. FAR Subpart 17.5, "Interagency Acquisitions Under the Economy Act," and DoD FMR, volume 11A, chapter 3, "Economy Act Orders," April2000, require a Determination and Findings to suppmi each Economy Act order that uses interagency

support capabilities. To comply with the Determination and Findings requirements, the requesting agency should document that orders are in the best interest of the U.S. Govemment and that the Government cannot obtain the supplies and services as conveniently or economically

13

by contracting directly with a commercial enterprise. According to DoD Instruction 4000.19, the determinations are signified by signing a support agreement (blocks 8 and 9 on DO Form 1144). No

fUiiher written determinations are required for agreements between DoD activities. According to PRM personnel, they do not have Detennination and Findings for all outgoing MlPRs. For MIPRs sent to DoD activities (DoD to DoD), they believed they did not need to provide a

Determination and Findings in accordance with the DoD FMR, specifically, volume llA, chapter 3, section 0302, and paragraph 030202. For some of the MIPRs sent to non-DoD activities, there are no Determination and Findings. The DAU-PRM is enhancing its MlPR approval process to include a contracting office review to ascettain the necessity for a Determination and Findings on a case by case basis.

Period of Performance We found that 14 of the 20 MIPRs did not specify the period of performance as required by

DFARS. DFARS 253.208 requires that the agency clearly state the required period of performance in each MIPR, taking into consideration administrative lead times. In the 14 instances where the DD Form 448 did not specify the period of performance, we were able locate the information in the statement of work or on other provided documentation. According to DAU-PRM personnel, they do collect period of performance information; it is a required field on all outgoing MlPRs in their electronic Business Center process. However, the period of performance does not currently print on the MIPR. A system change request will need to be implemented for periods of performances to be printed on future outgoing MIPRs.

Recommendation We recommend that the Chief of Staff, DAU: 1. Direct DAU-PRM to develop and implement standard operating procedures that will

incorporate the DoD Financial Management Regulation, DoD Instruction 4000.19, and the Federal Acquisition Regulation into the process for completing outgoing Military Interdepartmental Purchase Requests, Determination and Findings, and Suppmt Agreements.

2. Ensure that change requests for the Standard Army Finance Information System are implemented and allow the period of perfonnance to be included on outgoing MIPRs processed through the electronic DAU Business Center.

C. Purchase Requisitions DAU-PRM processed purchase requisitions in accordance with its established guidance. We found that a supervisor, billing, finance, and buyer approved all 20 purchase requisitions that were reviewed. The purchase requisitions totaled $17,207. As part of the organization's internal financial controls, DAU~PRM instituted a purchase requisition process to help manage requests

14

for purchases. Requests for the creation of purchase of goods and services were documented and routed for approval within the organization.

D. Invoices Overall, invoices DAU-PRM were processed in accordance with Federal and DoD regulations. Of the 20 invoices that were reviewed, we found that aU were approved by the point of contact (POC) and most were paid within 30 days of receipt as required by the FAR and DoD FMR. We found that only 2 of the 20 invoices were not paid within 30 days ofDAU-PRM receiving the invoice. These two instances occmTed because these invoices were overlooked and not processed on time. Because these two invoices were not paid within 30 days of receipt, they were not paid

in accordance with the FAR and DoD FMR.

Invoices Received During Fiscal Years 2011 and 2012 We reviewed 20 invoices DAU-PRM received from contractors for services provided. The

invoices totaled about $845,500.

Invoice Approvals All invoices processed by DAU-PRM were approved by the POC. During the review of the

invoices, the POC can either approve (full or pmtial invoice amount), reject, or reroute the lllVOlCe.

Invoice Payments The majority of the invoices received by DAU-PRM were paid in a timely manner. We found that only 2 of the 20 invoices reviewed were not paid within 3 0 days of receipt. The FAR and DoD FMR state that the due date for making an invoice payment is the thiltieth day after the designated billing office receives a proper invoice from the contractor. According to DAU-PRM personnel, the two instances in which the payments for contract services were paid after the due date occurred because the invoices were overlooked and not processed on time. Both invoices were received on December 2, 2010, and payment for the invoices was submitted on January 10, 2011, even though the payments were due on January 1, 2011. The amounts due for the two invoices were $45,970 and $88,195. We did not consider the two instances material when compared to the 20 invoices we reviewed, which totaled $845,500.

E. DAU Electronic Business Center DAU uses an electronic Business Center managed by DAU-PRM for all of its financial transactions including incoming and outgoing MIPRs, purchase requisitions and invoices. This system automates all DAU financial business processes and incorporates all processes, procedures, and approval routing lists into the system. This automation reduces the DAU

15

documentation of its financial process to flowcharts of the process because all other documentation is incorporated into the system code. The process should be adequately documented, beyond flowcharts, to make sure the system is fimctioning properly and meeting the intent of overarching DAU and DoD policies and requirements.

The DAU electronic Business Center is enterprise wide and allows DAU employee easier access to financial process. Any DAU employee can access the system to process MIPRs, purchase

requisitions and invoices and to complete certain actions in each of the processes dependent upon their user role. DAU-PRM developed training for using the system and also provides on-the-job

training for using the system. However, system training is not mandatory for employees before they are granted access to the system and there is no tracking of which employees completed the training.

Opportunity for Improvement We suggest that the Chief of Staff, DAU:

1. Direct DAU-PRM to adequately document all process, beyond flowcharts, within the DAU Electronic Business Center.

2. Require employees to complete the training for the DAU Electronic Business Center before they are granted access to the system and PRM to track the employee training.

Conclusion We conducted a quality review of the financial processes, based on ISO 9001:2008 Quality Management System Requirements, at the DAU administered by DAU-PRM through its electronic Business Center. The DAU financial processes are sound and adequately meet the needs ofDAU. We found only minor issues during our review of the MIPR and invoice process,

which can be easily corrected. DAU-PRM's implementation of the electronic DAU Business Center incorporated all financial processes and procedures into a single system that has built-in reviews and simplifies the process for employees. However, due to the integration of the electronic system, only flowcharts- not formal written process and procedures of the process-exist because they are integrated into the system's programming. Overall, we found

that DAU should ensure all processes are adequately documented beyond process flowcharts and review its electronic system on a periodic basis to verify that the processes still meet overarching

DoD requirements.

17

Defense Acquisition University (DAU) Quality Assurance Process Assessment- Financial Systems Report

Finance - Recommendation and Opportunities for Improvement

Recommendations

1. DAU-PRM develops and implements standard operating procedures that will incorporate the DoD Financial Management Regulation and DoD Instruction 4000.19 into the process for completing incoming Military Interdepartmental Purchase Request and Support Agreements.

• DA U concurs with the recommendation and has instructed all appropriate budget personnel to no longer process a MIPR acceptance (DD448-2) before receiving a properly signed DD 1144 from the customer. Specifically, sections 8 and 9 of the DD Form 1144 must be properly annotated and signed. Additionally, DAU Directive 505 (Mission Assistance) and Faculty Professional Development (FPD) courses FPD 309 and 311 will be updated to re-emphasize the requirement to have these sections completed. We also included these controls into our Managers ' Internal Control Program.

2. DAU PRM develops anth-mplements-standard operating procedures-thatwii--l--1 1-ritwic:nontp"'TOTTt"aliF.====== tfiel)oiJFinancta 1\1anagement Regulation, DoD Instruction 4000.19, and the Federal Acquisition Regulation into the process for completing outgoing Military Interdepartmental Purchase Requests, Determinations and Findings, and Support Agreements.

• DA U concurs with this recommendation. TheDA U Director for Contracting and Logistics, Ms. Beth Nelson, has worked this issue with the host installation (Fort Belvoir Mission and Installation Contracting Command (MICC)) contracting office. MICC provided a template to be completed and attached as a Determination and Finding document for each outgoing MIPR to a non-DOD activity. For those non-DoD activities, PRMwill attach the requiredform.

3. DAU-PRM ensures that change requests for the Standard Army Finance Information System are implemented and allow the period of performance to be included on outgoing MIPRs processed through the electronic DAU Business Center.

Attachment

19


ALEXANDRiA, VlRGrNIA 22350-1 500

June 11 , 2012


SUBJECT: Defense Acquisition University Quality Assurance Process Assessment Contracting Process Report

We are issuing this status memorandum to inform you of the results of the Contracting Process Assessment conducted from Apri l 24 to May 21, 2012, as part of the overarching Defense Acquisition University (DAU) ISO 9001 :2008 Quality Assurance Process Assessment. The objectives of this assessment were to determine whether established practices were being effectively implemented and maintained, verify that controls were adequate, assess the effectiveness of the process, and identify opportunities for improvement.

We assessed the effectiveness of the DAU Operations Supp01t Group - Contracting and Logistics (OP-CL), which prepares purchase orders, coordinates contracting packages with Mission Installation Contract Command (MlCC), and monitors awarded contracts. We identified several opportunities for improvement in the DAU contracting process, which are detailed in the attached report. There are two notable areas for improvement. The first is automating and streamlining the process. Specifically, many functions are still done by e-mail, data must be manually entered into other systems that use the contract data, and documents are stored in a shmed drive folder with no defined structure. The second area for improvement is how contracts are processed through MICC. Currently, OP-CL does not have its own contracting officer; all official contracting actions are handled by MICC. OP-CL handles only the coordination of the contract between DAU personnel and MICC. Processing contracts tluough a separate agency slows down the execution of the contract and limits the control and visibi lity ofDAU during the contracting process, from request to award.

Although DAU OP-CL is following its internal procedure, the process can be improved by automation, consistent document control practices, and improved communication between its office and MICC. In addition, we determined that the overall execution of processing pmchase requests and contracts would be improved ifDAU had an internal contracting officer.

Please provide my office with the status of actions planned and taken in response to this memorandum by July 10, 2012. When we complete the full assessment, we will provide a final report on the results the assessment.

20

Please direct questions or concerns regarding this memorandum and attached report to .Ms. Heather Simko at (703) 699-5498, [email protected].

Director Teclmical Assessment Directorate

Attachment: As stated.


21

Defense Acquisition University Process Quality Assessment- Contracting Process Report

Objective Our overall objective was to perform a quality review, using ISO 9001:2008 Quality Management System assessment teclmiques, of the Defense Acquisition University (DAU) contracting processes managed by the Contracting and Logistics Department (OP-CL). Specifically, we examined the process flow based on DAU's documented Internal Contracting and Logistics Standard Operating Procedure (SOP) to determine whether established practices

were effectively implemented and maintained and whether process controls were adequate and identify organizational risks. We also detennined the effectiveness ofthe process to identify areas needing improvement.

Scope and Methodology We conducted a quality review of the contracting processes, based on ISO 9001 :2008 Quality Management System, at the DAU administered by DAU OP-CL. Specifically, we reviewed the requests for supplies and services, documentation retention, the DAU Business System, and

contract documentation requirements. We interviewed DAU OP-CL personnel to learn the processes used to execute these transactions. We developed review checldists, based on DAU's internal SOP. We compared OP-CL processes with the relevant criteria and flow charted the process to assist in identifying weaknesses in internal controls. We reviewed a sample of the 200 incoming requ~sts for service and product contmcts ranging from $3,000 to $500,000.

OP-CL Internal Process for Contracts (DAU to Mission Installation and Contracting Command [MICC]) All DAU requests for supplies and services are processed by the OP-CL within the specified lead time based on the contract or purchase order amount (see the table below).

Table. Pmcm·ement Acquisition Lead Time for Award of Contracts or Purchase Orde1·s

Amount Lead Time

$3,000 up to $25,000 Approxjmately 30-40 days

$25,00 l to $100,000 Approximately 60 days

$100,00 l to $500,000 Approximately 90 days

$500,001 and above Approximately 90-120 days

For 8a (does not have to be completed) requests and so le source (no competition): approximately 60-120 days based on the complexity of the project

22

OP-CL Internal Process Flow for Contracts DAU through MICC

Initia l request submitted to opcontract s@da u.mll

Receives Creates pending award folder

Em ails supporting dowments to MICC

Routes PR to PRM

Creates& submits PR In

Acqulllne

Forwards award copy to requestor, PRM, OP-CL Director, OP-CL Logistics If needed & save to OP-

Cl shared drlve

Generates PR number & updates PR log spreadsheet

Assigns to Specialist

OP-CL Internal Process Flow for Contracts: DAU through MICC

DAU employees, the customer, submit a procurement request (PR) to OP-CL through [email protected], with all the required supporting documents to be processed within a specified lead time (see the table). The OP-CL Director reviews the request then determines the

procurement type~labor or supplies/services. For labor requests, the PR is sent to the Human Resources Management Council (HRMC) for review. Once the request has been approved by HRMC (for labor requests) and the OP-CL Director, the PR will be assigned aPR number and an acquisition specialist. If the PR is denied, OP-CL will notify the customer.

The acquisition specialist is assigned to the request and after receiving the PR package, reviews it for compliance and verifies that all required documents are in the package. A typical PR package includes a Supply Requistion, Purchase Description(PD)/Statement of Work (SOW)/Performance Work Statement (PWS), and an Independent Government Cost Estimate

(IGCE). Additional documents may be required depending on the complexity of the PR. If additional documents are required, the acquisition specialist will work with the customer to produce those docwnents and verify all documents are accurate before submission to MICC.

23

A PR number is assigned and aPR log spreadsheet is generated. Once the PR package is complete, it is submitted in Acquiline, which routes it to Performance and Resource Management (PRM) for funding. Acquiline requires the acquisition specialist to enter each Contract Line Items (CLINS) individually. Concurrently, an e-mail containing the supporting documents is sent to MICC for action and the acquisition specialist creates a pending awards folder on the OP-CL shared drive.

The Mission Installation Contract Conunand (MICC) support the Soldier and their families tlu·ough the acquisition of goods and services vital to the Solder's mission and well-being. The MICC is responsible for planning, integrating, awarding, and administering contracts in support of A1my commands, direct reporting units, U.S Al·my North, and other organizations. The MICC at Ft. Bel vi or handles all contracts related to the turning of the base, its functions, and

conh·acting activities for the base residents.

The MICC does all contracting for DAU because DAU does not have a contracting officer. This significantly slows the process, as the acquisition specialist does not have direct contact with the contracting officer or contract specialist assigned to their PRs. Additionally, sending contracting

documents to a separate agency that is not familiar with DAU's mission can lead to unawarded contracts due to processing delays and lengthy turnaround times. In some cases, the PR pack~ges are not a priority because DAU is not an AJmy function. Once the MICC finalizes and awards the contract it is returned to tl1e DAU acquisition specialist to verify the accuracy of the contract and monitoring. Once approved, a copy of the award is forwarded to the requestor,

PRM, and the OP-CL Director by e-mail and is saved on the OP-CL shared drive in the appropriate "FY Contracts" folder. For contracts that include property items, OP-CL Logistics is notified by e-mail, so that the receiving department is alerted of any shipments. Lastly, the acquisition specialist creates and maintains funds/modification tracking excel spreadsheet on all contracts, which are stored in the OP-CL shared drive. A DAU Business System entry is also needed to route invoices to the designated contracting officer's representatives (CORs) for

review/approval.

Each contract requires a COR. Any DAU personnel can self-nominate to act as a COR for their PR, if they meet the required training and have a Nomination and Designation Letter. COR training includes two mandatory courses, DAU CLM 003 (Ethics Training for AT&L Workforce or Equivalent) and DAU CLC 106 (COR with a Mission Focus or Equivalent). The selfnomination letter and training celiificates are submitted through the Al·my Knowledge Online (AKO) ore-mailed to the MICC contract specialist who will verify that the person meets the COR criteria and will assign the person as COR to the contract through a letter of delegation. The COR is responsible for monitoring the contract and requesting contract modification, if needed. They request contract modifications through OP-CL who then fmwards the request to

24

the MICC for action. Cunently, OP-CL does not track COR training information and relies solely on MICC for verification. This could lead to DAU having improperly trained CORS tnonitoring their contracts, and the acquisition specialist processing actions from unapproved CORs. In addition, not tracking the required training is a poor business practice, which can lead to an improperly trained workforce.

Generally, all documents created dming the PR package process are maintained on the OP-CL shared drive and on acquisition specialist's own computer using their own file system. A hard copy of the contract is also stored in a designated file cabinet. While reviewing the shared drive,

we found the folder structure needed to be streamlined. The folder system was not intuitive; a primary "Contracts" folder was present, but additional folders were identified by fiscal year in addition to the primary "Contracts" folder. The acquisition specialists maintained separate systems on their own computers and the shared drive. Furthermore, the folder structure varied between the acquisition specialists maintaining them; there was no clear procedure for developing the file system on the shared drive. This could create confusion for a new member of the team or for DAU personnel not familiar with current folder structure. In tum, it makes the system difficult to audit and conduct a review of the contracts.

Opportunities for Improvement We reconunend that the Chief of Staff, DAU, require OP-CL to:

1. Structure the shared drive folders in accordance with the Internal Contracting and Logistics SOP.

2. Develop a lean process, automated system, or database for the various files and documents created during the process.

3. Obtaine their own Contraining Ot1icer dedicated to DAU contracts, which could streamline the process and reduce PR processing time.

4. Develop a process for tracking COR training.

Conclusion We conducted a quality review of the contracting processes, based on ISO 9001:2008 Quality Management System, at DAU Contracting and Logistics. We found minor issues during our review of their shared drive structure. However, it is clear the OP-CL could benefit from having an internal contracting officer or improved communication between their office and MICC. Overall we found DAU OP-CL procedures are adequately documented but results in a disjointed and scattered process.

26

Defense Acquisition University Quality Assurance Process AssessmentContracting Process Report

Contracting (4 Opportunities)

Opportunities for Improvement

I. Structure the shared drive folders in accordance with the Internal Contracting and Logistics SOP.

• DAU concurs with the recommendation. The Contracting Office (OP-CL) is in the process of reengineering their shared drive folders to comply with the Internal Contracting and Logistics SOP and will have this action completed by July 31, 2012.

2. Develop a lean process, automated system, or database for the various files and documents created during the process.

• DAU concurs with the recommendation. The Contracting Office (OP-CL) is in the process of reengineering their database and will have this action completed byJuly31, 2012.

3. Obtain their own Contracting Officer dedicated to DAU contracts, which could streamline the process and reduce PR processing time.

• DAU concurs with the recommendation of DO DIG with its desire to have a full time contracting officer. This action would require exception to policy from the Undersecretary of Defense for Acquisition, Technology and Logistics (AT&L) for DA U to have contracting authority and a warranted contracting officer. Due to the size of our contracting needs, it is not expected that this course of action will be acceptable to AT &L.

• Per AT&L Memorandum, dated September 18, 2009 (attached), all AT&L offices contracting support services responsibilities are directed to Washington Headquarters Services (WHS). Hence, DAU is not permitted by AT&L policy, directed in Memorandum from Dr. Carter to have its own contracting authority.

• Currently, DA U has a contracting assistance office under its Operations Department staffed with 1101 series personnel and augments support through the US Army Military Installation Contracting Command (MICC) on Ft Belvoir to process its purchase requests through its Contracting Authority. An interim Installation Services Support Agreement (ISSA) is in effect with DA U sustaining a Full Time Equivalent personnel to support DA U contracting needs. A formal ISSA is in review but will wait until formal contracting efforts with WHS are established

• DA U has contacted WHS for coordination to reestablish contracting support through their contracting office. Due to schedule conflicts, these conversations

Attachment

27

will begin during July and expect implementation of support directly through WHS by the beginning of FY13.

4. Develop a process for tracking COR training. • DA U concurs with the recommendation and has begun the process to track COR

training, certification and currency of certification. This action will be completed by July 31, 2012.

28

ACqUISITION, TECHNOLOGY AND LOGISTICS

THE UNDER SECRETARY OF DEFENSE 3010 DEFENSE PENTAGON

WASHINGTON, DC 20301-3010

MEMORANDUM FOR USD(AT &L) DIRECT REPORTS

SEP 1 8 2009

SUBJECT: Pilot Program for Contracting Support for Acquisition, Technology and Logistics (AT&L) Offices

Since May 2004, OSD components have depended on a variety of other DoD offices and external agencies for contracting support. While this was done to provide flexibility to the DoD Components in the National Capitol Region, the resultant approach to contracting support slowed our ability to deliver best value business solutions for our mission needs.

Effective immediately, I am establishing a pilot program and assigning responsibility for AT&L's contracting support services to Washington Headquarters Services (WHS). WHS is well positioned to provide AT&L with dedicated contracting support. Alignment to a single contracting office will enhance our ability to deliver best value business solutions efficiently and effectively. It will result in a more disciplined and focused contracting process that will facilitate strategic sourcing, enhance portfolio transparency, improve acquisition planning, and enhance competition while strengthening and improving the contract management and oversight process. I have asked WHS to prepare to assume full responsibility for OSD contracting support over the next few years.

The Director, Acquisition Resources and Analysis (ARA), will continue as the administrative focal point for defining the requirements for AT &L contracts and will work with the Director, Defense Procurement and Acquisition Policy, and WHS to define mutual responsibilities, expectations, processes, and staffing requirements. WHS will assist each AT &L office to plan an orderly migration of its contracting portfolio. Migration plans shall consider migrating requirements at logical contract break points (e.g., at the completion of all contract option periods) to maximize program continuity. WHS support will be reimbursed until WHS is resourced for this new mission through existing budget processes. Contract services and migration efforts will begin immediately.

Thank you in advance for your support of this pilot program. My point of contact is Ms. Susan Hildner at 703-697-0895.

cc: Director, WHS

---· -----~---· ···--·-------

29


ALEXANDRIA, VfRGINIA 22350-1500

JUL 0 9 2012


SUBJECT: Defense Acquisition University (DAU) Quality Assurance Process AssessmentMicro Purchase and Training Requisition Report

We are issuing this status memorandum to infmm you of the results of Micro Purchase and Training Requisition Processes Assessment conducted from June 18- 29, 2012, as part of the overarching Defense Acquisition University (DAU) ISO 9001:2008 Quality Assurance Process Assessment. The objective of this assessment was to detennine whether established practices are being effectively implemented and maintained, verify that controls are adequate, assess the effectiveness of the process, and identify oppmtunities for improvement.

We assessed the effectiveness of the micro-purchase and training requisition processes, which are conducted through the DAU electronic Business Center. We identified several opportunities for improvement, which are detailed in the attached report. There are tlu·ee notable areas for improvement. The first is to develop separate h·aining materials for the micro-purchase requisition process and training requisition processes. There is cmTently one PowerPoint presentation for both micro-purchases and training requisitions and does not reflect other h·aining requisition process variations. The second area for improvement is how the process is documented via flowchart. Specifically, existing flow charts do not fully reflect the as-is processes. The last area for improvement is to reevaluate the overlap in roles and responsibilities of each approving official in the training requisition process to reduce cycle times and redundant tasks. More specifically, assess the need for overlap in validation checks between the supervisor, Dean/Director, and training officer.

We determined that the DAU effectively conh·ol and monitor the micro-purchase and training requisition processes tluough the electronic DAU Business Center. Although DAU is following its internal procedure, the process documentation and training materials can be improved to benefit end users.

By August 10, 2012, please provide my office with the status of actions planned and taken in response to this memorandum. When we complete the full assessment, we will provide a final report that will include the results of this assessment and the overall effectiveness of the DAU processes.

30


Director Technical Assessment Directorate

Attachment: Defense Acquisition University (DAU) Process Quality Assessment -Micro-Purchase and Training Requisition! Process Report


31

Quality Assessment of Defense Acquisition University's Micro-Purchase and Training Requisition Processes

Objective Our overall objective was to perform a quality review, using ISO 9001 :2008 Quality

Management System assessment teclu1iques, of the Defense Acquisition University (DAU)

micro-purchase and training requisition processes. Specifically, we examined process flows and

training materials based on DAU's documented Purchase Requisition and Training Requisition

Basic User Training to determine whether established practices were effectively implemented

and maintained and whether process controls were adequate and identified organizational risks.

We also determined the effectiveness of each process to identify areas needing improvement.

Scope and Methodology We conducted a quality review ofDAU processes, based on ISO 9001:2008 Quality

Management System Requirements, at the DAU administered by the Performance and Resource

Management (DAU-PRM) tlu·ough the DAU electronic Business Center. Specifically, we

reviewed the micro-purchase requisition and training requisition processes. We interviewed

DAU personnel to leam the processes used to execute these transactions and the roles and

responsibilities of all approving officials within the process. We developed review questions

based on training documentation and DAU process flowchmis. We reviewed and identified

misalignments between the process flowcharts and training materials given to DAU personnel.

We reviewed actual micro-purchase invoices and training requisition forms (Standard Fmms

[SFs] 182 and 1164), during fiscal year 2012. We reviewed three micro purchase invoices

valued at about $2,880 and 20 training requisitions valued at about $27,000. In addition, we

requested and reviewed data on the approval cycle times ofthe sample transactions in the DAU

Business Center.

A. Micro-Purchase Requisition As a part of the organization's internal financial controls, micro-purchase requests are initiated

tlu·ough the DAU Business Center, where a DAU employees are able to create, route, and track

all pmchase requests from the beginning to end of the process. The DAU defines the dollar

tlu·eshold for micro-pmchases as follows: Jess than $2,000 for construction, less than $2,500 for

services, and less than $3,000 for supp lies. For micro-pmchases from $3,000 to $25,000, the

procurement request must be competed on the General Services Administration (GSA) schedule.

On average, more than 500 micro-purchases per quarter or approximately 2,900 per year are

processed tlu·ough the DAU Busine~s Center system.

32

During the Finance Review, we found that a supervisor, billing official, finance, and buyer approved all20 purchase requisition samples totaling $17,207. Because the process for purchase requisition is identical to micro-purchases, we requested only three micro-purchase samples. After reviewing the micro-purchase samples, we found that a supervisor, billing official, finance, and buyer approved the purchases in accordance with the purchase requisition process flowchart (see Figure 1). However, we found that the process variation of competing micro-purchase procurements between $3,000 and $25,000 on the GSA schedule was not reflected in the process flowcharts or training documentation. We also found that the approval cycle times of the sample micro-purchase requisitions were timely and ranged from five to eight business days, which is well within the two to three week lead-time advisement provided by the DAU officials. However, we found that the training documentation does not provide a lead-time advisement.

Figure 1. DAU's Purchase Requisition Process Flowchart .

Purchase Requisition Process

Submit Purchase Request

f 11>$100.00 1

Supervisor Approval

APC = Account Processing Code

l ....................... l ................... ..J

i Billing Official ! Fin ance Approval

Can Ru outa-To: • APC J.f.>nogor • Funcrion~J Approver • · AnyU•er

!


IIAbovo Thrn hold

Amount

!

: •••••••• ••• ~,,, ,:·~~:·::urchuowith Credit Card

Buyer Approval

l Can Reroute To: -Ffn•nee ·.APC&f.>nager ·Funcrlon•J Approver • ·AnyUaer

i ! i

OR

Flnaneolssun Choek (W Chtek Roqulrtd)

1. Create training manual for purchase requisitions separate from the training requisition manual. Although both processes are executed in the DAU Business Center, users would be better served by separate manuals.

2. Include process variation of micro-purchase procurements competed on the GSA schedule in the purchase requisition process :flowchati and in the purchase requisition h·aining material.

3. Include lead-time advisement of two to three weeks in the purchase requisition training

material.

33

4. Improve the purchase requisition process flowchart. Flowchrut notation should properly

indicate beginning and end points, decision points, process vmiation, and responsible

actionee for every step in the process.

B. Training Requisition Training requests are initiated by the requester through the DAU Business Center system, which

routes and tracks all training requests throughout the process. DAU provided a process

flowchati for the training requisition process (see Figure 2), which begins with a DAU employee

submitting a training request in the DAU Business Center and moves the request through an

approval cycle with the supervisor, dean/director, billing official, finance, training officer, and

buyer. Each approving official receives an e-mail notification when they need to approve a

training request in the DAU Business Center. The system also generates Standard Forms (SFs)

182 and 1164 as required.

According to DAU, the typical approval cycle time for a training requisition is two weeks. Last

minute requests can be submitted by clicking the "Expedited" option in the system. For training

requests involving tuition assistance, a one-month lead time is advised due to an additional

approval step by the tuition assistance panel.

Figure 2. DAU's Training Requisition Process Flowchart

June 12,2008

Training SF 182 Requisition Process

finance M<-lcta r---:---..Re~nbonem.,. t-----, .j ,,.; tsF 11641

Fot Tu•lon A .. lslnnce UUIIIIO to HMdQIIo\II&IS

'"""~Ill OIIJCOI

Tr ;Mn .. I.Q COII~Jiete?

Tt.,luaoo Compltte? NNOICenm .. t

• TU/t/011 Ass/st.JJtCe atrorGOdays ·NCIII(Y CenitltBUOif/IPD atrer 10d•ys

34

Training Requisition Approvals The DAU team described the roles and responsibilities of each approving authority and their

criteria for approvals/rejections. Once a DAU employeesubmits a training request, the

supervisor validates the need for the requested training based on the requester's job function and

development plan. The Dean/Director validates the need for the training based on the requester's

job function and determines if there is training funds available. The Dean/Director also

determines how training funds are managed for each region. Finance Level 1 validates the need

for the training, determines if funds are available, and validates that the correct accounting code

is being used. The buyer validates that the training vendor is acceptable and makes the purchase.

The training official also validates the need for the training and checks that the vendor

acceptable. There is one training official for every DAU region.

Upon reviewing the twenty sample training requisitions valued at about $27,000, we found that

the approval cycle time ranged from one to fifty two business days (see Table 3.) Although we

found that all of the training requests in the sample set were approved prior to the training start

date, redundant checks by the various approving officials increased the approval cycle times.

Figure 3. Approval Cycle Times of Training Requisition Samples

Number Type Amount Approval Cycle Time (Business Days)

TR12001606 Tuition Assistance $2,250.00 52

TR12001697 Tuition Assistance $1,800.00 46

TR306712002131 Class $99.00 10

TR12002142 Conference $195.00 1

TRJ2001012 Class $296.00 5

TR12001263 Conference $1,575 .00 7

TRJ2002183 Class $950.00 6

TR12002163 Class $2,495.00 2

TR12002159 Class $2,495.00 2

TR12002113 Class $2,575.00 3

TR028912000794 Class $975.00 11

TR12001997 Class $945 .00 4

TR306712002137 Class $149.00 10

TR89391200l320 Class $5,150.00 26

TR028912000 I 22 Conference $1,395.00 12

TR028912000 142 Conference $275.00 31

TR893912001034 Class $199.00 8

TR740612001863 Conference $275 .00 7

TR740612001805 Class $1,050.00 5

TR740612001652 Class $1,965.00 11

35

Multi-Participant Training The DAU team provided clarification on the process flowchart for multiple-pmticipant training

versus individual training. When multiple patticipants m·e involved, the training officer is

notified manuaJJy. The training officer then inputs the training request in the DAU Business

Center system and follows the process depicted in the training requisition process flowchart.

Additionally, multiple-participant training requests do not require Dean/Director approval. We

found that process flowchart was not.Jabeled to indicate that the bottom flow in Figure 2 was for

multi-pmticipant training. We also found that instructions for multi-participant training requests

were not reflected in the training manual.

Tuition Assistance Another vm·iation of the training requisition process occurs when a DAU employee submits a

training request involving tuition assistance. In these cases, the request will go through the usual

training requisition process until the billing official gives approval. Once the billing official

gives approval, a panel consisting of the Chief Financial Officer, Chief of Staff, PRM Director,

Human Resources Learning and Development, Center Director for Budget, and the Finance

Level 2 Tuition Assistance Coordinator determines if the request is approved or rejected. This

panel meets three times a year and reviews all tuition assistance requests. All requests are

considered based on the requester's job function, development plan, and funding availability.

Requirements for tuition assistance include no more than two courses at a time per trainee and a

tuition assistance cap of $5,250 per calendar year per individual. After reviewing training

request samples involving tuition assistance, we found that the additional process step of the

tuition assistance panel was not reflected in the training requisition process flow or the training

materials.

Payment Methods There are four payment methods for h·aining requisitions: credit card payment by an authorized

DAU government credit card holder, check payment by an authorized DAU buyer, direct

reimbursement before training, and direct reimbursement after training. The DAU employee

selects a payment method when a training request is submitted in the DAU Business Center. The

majority of training requisitions are paid for by an authorized DAU govenunent credit card

holder. In the rare case that a vendor does not accept credit cards, a check payment will be

issued.

In the sample set, two tuition assistance requests were paid by an authorized DAU government

credit card holder. For these requests, the training officer commented that the requester must

purchase class materials and then submit an SF 1164 to receive direct reimbursement for the

class materials. We found that there was no guidance in the process flowchart or training

material for training requests, which require a combination of payment methods such as

government credit card for the training course and direct reimbursement for the associated course

materials.

36

Opportunity for Improvement We suggest that the Chief of Stan: DAU: 5. Reevaluate the overlap in roles and responsibilities of each approving official in the process

to reduce cycle times and redundant tasks. More specifically, assess the need for overlap in validation checks between the supervisor, Dean/Director, and training officer.

6. Update the process flowchatt and training materials to include information regarding the tuition assistance panel and tuition assistance course and dollar caps.

7. Update the process flowchatt and training materials to include information regarding multiparticipant training and that the process is manually initiated by submitting a request to their designated training official.

8. Update the training materials to include lead-time advancement of two weeks for training requisitions and one month for training requisitions involving tuition assistance.

9. Improve the training requisition process flowchart. Flowchart notation should properly indicate beginning and end points, decision points, process variation, and responsible

actionee for every step in the process.

Conclusion We conducted a quality review of the micro-purchase and training requisition processes, based

on ISO 9001:2008 Quality Management System Requirements, at the DAU administered by DAU-PRM through its electronic Business Center. The DAU micro-purchase requisition and training requisition processes are sound and adequately meet the needs ofDAU-PRM' s

implementation of the electronic DAU Business Center. DAU incorporated all requisition processes and procedures into a single system that has built-in reviews, simplifies the process for employees, and provides real-time status checks of all requisitions submitted in the system. However, we found that the process flowchruts and training materials do not reflect all of the process variations, requirements, and guidelines involved in the requisition processes. DAU should ensure that all processes are adequately documented beyond process flowcharts and review its electronic system on a periodic basis to verify that the processes still meet overarching DoD requirements.

38

Micro-purchase and Training Requests Opportunity for Improvement (9)

I. Create training manual for purchase requisitions separate from the training requisition manual. Although both processes are executed in the Defense Acquisition University's (D AU) Business Center, users would be better served by separate manuals.

• DA U concurs with the suggestion and will implement suggested actions by August 31, 2012.

2. Include process variation of micro-purchase procurements competed on the GSA schedule in the purchase requisition process t1owchart and in the purchase requisition training material.

• DA U concurs with the suggestion and will implement suggested actions by August 31, 2012.

3. Include lead-time advisement oftwo to three weeks in the purchase requisition training material.

• DA U concurs with the suggestion and has taken immediate action by posting the information on the DA U home page and will add the information into the training material by August 31, 2012.

4. Improve the purchase requisition process flowchart. Flowchart notation should properly indicate beginning and end points, decision points, process variation, and responsible actionee for every step in the process.

• DA U concurs with the suggestion and has taken immediate action to improve the flowchart as suggested.

5. Reevaluate the overlap in roles and responsibilities of each approving official in the process to reduce cycle times and redundant tasks. More specifically, assess the need for overlap in validation checks between the supervisor, dean/director, and training officer.

• DA U concurs with the suggestion and has evaluated the roles and responsibilities of each approving official. After car~ful assessment we have determined that our process is properly configured. Based on our assessment, no changes are necessary at this time.

6. Update the process flowchart and training materials to include information regarding the tuition assistance panel and tuition assistance course and dollar caps.

• DA U concurs with the suggestion and has taken immediate action by posting the information on the DA U home page and will add the information into the training materials by August 31, 2012.

Attachment

39

7. Update the process flowchart and training materials to include information regarding multi-participant training and that the process is manually initiated by submitting a request to their designated training official.

• DAU concurs with the suggestion and has taken immediate action to improve the flowchart and training materials as suggested, and we have posted both on our homepage.

8. Update the training materials to include lead-time advancement of two weeks for training requisitions and one month for training requisitions involving tuition assistance.

• DA U concurs with the suggestion and has taken immediate action. We wish to note that the training officer does provide advance notices through various DAU communication forums throughout the year (e.g., email announcements, "Spotlight" articles on the DA U home page, updates on the DAU Human Resource homepage, DAU All Hands meetings, DAU Annual Conference).

9. Improve the training requisition process flowchart. Flowchart notation should properly indicate begirming and end points, decision points, process variation, and responsible actionee for every step in the process.

• DAU concurs with the suggestion and has taken immediate action to improve the flowchart as suggested, and we have posted both on our home page.

40


ALEXAN DRI A, VIRGINIA 22350- 1500

AUG 0 2 2012


SUBJECT: Defense Acquisition University Quality Assurance Process Assessment - Property Management, Supply Maintenance, Real Property Management, and Facilities Maintenance Processes Report

We are issuing this status memorandum to inform you of the results of the Property Management, Supply Maintenance, Real Property Management, and Facilities Maintenance processes assessment conducted from July 16 to August 3, 2012, as part of the overarching Defense Acquisition University (DAU) ISO 900 l :2008 Quality Assurance Process Assessment. The objectives of this assessment were to determine whether established practices were being effectively implemented and maintained, verify that controls were adequate, assess the effectiveness of the processes, and identify opportunities for improvement.

This assessment focused on the effectiveness of the DAU Operations Support Group's Property Management, Supply Maintenance, Real Property Management, and Facilities Maintenance processes. We identified some opportunities for improvement in these processes, which are detailed in the attached report. Currently, DAU's governing criteria is DAU 314-1, "Property Accountability and Management Directive." We recommend that DAU finalize the draft DAU Logistical Operation Procedure for Property Management, which wi ll supplement DAU 314-1. Secondly, the accountable property office should designate a back-up accountable property officer when the primary officer is not available. Finally, we recommend that DAU formally document all processes that are tak ing place in these four areas to ensure knowledge transfer to current and new personnel.

Please provide my office with the status of actions platmed and taken in response to this memorandum by September 4, 2012. When we complete the full assessment, we will provide a final report.


~tf.u;·k_ Director Teclmical Assessment Directorate

Attachment: As stated

41

Quality Assessment of Defense Acquisition University's Property Management, Supply Maintenance, Real Property Management, and Facilities Maintenance Processes

Objective Our overa ll objective was to perform a quality review, using ISO 9001:2008 Quality

Management System assessment techniques, of the Defense Acquisition University (DAU)

Property Management, Supply Maintenance, Real Property Management, and Facili ties

Maintenance processes. Specifically, we examined DAU process flows, documentation, and

procedures to determine whether establ ished practices were effectively implemented and

maintained and whether process controls were adequate and identified organizational risks. We

also determined the effectiveness of each process to identify areas needing improvement.

Scope and Methodology We conducted a quality review of DAU processes, based on ISO 900 I :2008 Quality

Management System Requirements, at the DAU administered by the Operations Support Group.

This assessment focused on the review of the Property Management, Supply Maintenance, Real

Property Management, and Facilities Maintenance processes. We interviewed DAU pers01mel to

learn the processes in these areas and the roles and responsibilities of all approving officials

involved in the processes. We developed review questions based on directives and

documentation. We reviewed and identified undocumented processes that are being conducted

by DAU personnel.

A. Property Management DAU's governing criteria is the DAU 314-1, "Property Accountability and Management

Directive," which establishes policy, assigns responsibility, and provides procedures for the

management of and accountability for DAU-owned equipment. According to the directive, the

Defense Property Accountability System (DPAS) is the approved automated accountability

property system of record for DAU. DAU Directive 314-1 will be supplemented by a DAU

Logistical Operations Procedure, which is cmrently in draft. This procedure will detail the

procedures for ordering, receiving, issuing, transferring, repairing, replacing, donating, and

disposing ofDAU property. This procedure also details procedures for maintaining records and

conducting inventories.

DAU defines accountable properties as non-expendable items with an initial acquisition cost of

$5,000 or more, leased items of any value, pi lferable items, and information teclmology property

42

such as desktops, laptops, mobile devices, and data storage devices. According to the draft

Logistical Operations Procedure, DAU performs tlU'ee types of inventories: physical inventories,

change of property custodian inventories, and custom inventories. Physical inventories are

conducted arumally for all DAU-owned accountable property to ensure that items are properly

identified and accounted for in DPAS and are still in working, serviceable condition. A minimum of 98 percent accountability must be achieved for all inventories to meet agency and

DoD accountability standards. Change of property custodian inventory occurs when a property

custodian is replaced. Lastly, custom inventories are conducted on an as-needed basis when a

unique situation arises.

DAU headquarters employs one Accountable Property OHicer (APO) who is responsible for

implementing DAU Directive 314-1 and the DAU Logistical Operations Procedure. The APO is

responsible for coordinating transfer of accountable properties during personnel on-boarding,

off-boarding, and transfers with support from the Information Systems (IS)

Department and contractors. The APO is also responsible for conducting investigations when

property is lost, damaged, or destroyed clue to negligence. Lastly, the APO is required to

complete a !-week training course on DPAS and additional online training. The APO can also

attend refresher courses every quarter.


1. Complete the draft DAU Logistical Operation Procedure.

2. Develop an APO desk reference guide for the purposes of knowledge transfer to future

APOs. 3. Designate a backup APO should the primary be unavailable.

B. Supply Maintenance DAU headquarters personnel use theE-Store to replenish their supplies for common office items

such as pens, paper, and notebooks. The E-store was established 3 years ago for DAU

headquarters and is located in building 231. The maximum quantity for each item per visit is

five. For larger quantities, the request is tilled through the DAU electronic Business Center. In

emergency cases, an e-mail request can be sent to the head of Contracting and Logistics to

request the supplies from theE-store inventory. Once a request has been submitted, a

notification e-mail wil l be sent to the DAU personnel when the supply request is approved,

purchased, and ready for pickup. Requests submitted through the DAU electronic Business

Center ·will follow the standard Purchase Requisition process. There is no regularly scheduled

supply maintenance. Once theE-store personnel observe that stock is low, they place an order to

replenish the inventory through the purchase request process. New DAU pers01mel are trained

by their oftice administrator on how to request supplies thmugh the E-Store. DAU does not have

a standard operating procedure for theE-Store.

43

Opportunity for Improvement We suggest that the Chief ofStaff, DAU:

1. Create a documented standard operating procedure for the E-store to include instructions on

how to place supply orders.

C. Real Property Management Fort Belvoir Proper has 11 buildings onsite and four major regional sites. Additi"onally satellite

sites are leased through installation agreements; Patuxent River, MD; Los Angeles, CA;

Huntsville, AL; Kettering, OI-l; Chester, VA; and Aberdeen Proving Ground, MD. The DAU

Facility Board (DFB) determines moves and lease renewals during its bi-monthly meetings. The

DFB purpose is to evaluate, recommend, and reconcile DAU requirements for space and

resource requirements throughout the enterprise. The DFB sample slides provided insight on

topics discussed during the bi-monthly meetings to include total cost, design changes, move

details, available spaces, and open petitions. In addition, facility issues are brought up during the

leadership staff meetings. During our review of this section, we found no areas for

improvement.

D. Facilities Maintenance DAU facilities on Fort Belvoir campus are maintained through a public works contractor (DPW

Installation Support Services) that provides support to the entire base and its tenants.

Additionally, DAU has an in-house facilities maintenance team led by a Facilities Manager for

DAU buildings on Fort Belvoir. The in-house facilities maintenance handles service requests

such as major interior decorations, painting, air conditioning, and bug infestations. In general, at

least 90 percent of the maintenance needed is performed by the in-house faci lities maintenance

team while "major repairs" are performed by DPW-Installation Support Services. There is

currently no official defi nition of or guideline for what constitutes a "major repair." The DAU

Facilities Manager determines whether his team can perform the work or if DPW-Installation

Support Services needs to be called in.

DAU Headquarters and DAU South also appoint Building Mayors for each building. Building

Mayors coordinate service requests for their building with the Facilities Manager. For the most

part, records of maintenance are archived for only major service requests. DAU does not

currently have a standard operating procedure for their in-house facili ties maintenance.


1. Create a documented procedure for their in-house facilities maintenance processes and

maintain service records.

44

2. Create a guideline or agreement with the Installation on which repairs are allowed to be

addressed 'in-house' .

Conclusion We conducted a quality review of the Property Management, Supply Maintenance, Real Property

Management, and Facilities Maintenance processes, based on ISO 9001 :2008 Quality

Management System Requirements, at the DAU administered by the DAU Operations Support

Group. The DAU Property Management, Supply Maintenance, Real Property Management, and

Facilities Maintenance processes adequately meet the needs ofDAU. However, DAU lacks

formal documentation of its processes in·the Supply and Facilities Maintenance areas. DAU is

making progress in implementing the newly released DAU Directive 314-1. However, DAU

should require that all processes are adequately documented to ensure knowledge transfer to

current and new persmmel.

46

Defense Acquisition University Quality Assurance Process Assessmentl,ropcrty Management, Supply Maintenance, Real PJ'O}lel'ty Management,

and Facilities Maintenance Processes Report Six Opportunities for Improvement

A. Property Management 1. Complete the draft DAU Logistical Operation Procedure.

• DA U concurs with the suggestion and has completed the drqft Logistical Operation Procedure.

2. Develop an Accountable Property Officer (APO) desk reference guide for the purposes of knowledge transfer to fuh1re APO's.

• DAV concurs with the suggestion and has completed a dmft APO Desk Reference.

3. Designate a hackup APO should the primary be unavailable. • DAV concurs with the suggestion and has designated a backup APO.

R. Supply Maintenance 4. Create a documented standard operating procedure for the E-store to include instructions on how to place supply orders.

• DAU concurs with the suggestion and has completed a draft Standard Operating Procedure for the DA U E-St ore.

C. Real Property Management- there were no suggestions for this process area.

D. ll'ncilities Maintenance 5. Create a documented procedure for their in-house facilities maintenance processes and maintain service records.

• DA U concurs with the suggestion. H1e have established a new group email address in which work orders are to be submitted 111is new email account will allow all maintenance employees to see all requests. The DAU comtmmity has been advised of this new procedure. The Director of Maintenance, or his designee, will prioritize the requests and determine what can be accotnplished inhouse and which requests will be forwarded to the Fort Belvoir Department of Public Works. Also, all work orders will be saved in a separate folder on the DA U Network which is archived on a daily basis.

6. Create a guideline or agreement with the Installation on which repairs are allowed to be addressed 'in-house.'

• DA U concurs with the suggestion and plans to complete a guideline with the Installation on which repairs will be address "in-house" by October 31, 2012.

Attachment

47


ALEXAN DRIA, VIRGINIA 22350- 1500


SUBJECT: Defense Acquisition University Quality Assurance Process Assessment -Information Technology Process Report

AUG 0 6 2012

We are issuing this status memorandum to inform you of the results of the Information Teclmology Process Assessment conducted on July 18,2012, as part ofthe overarching Defense Acquisition University (DAU) ISO 9001:2008 Quality Assurance Process Assessment. The objectives of this assessment were to determine whether established practices were being effectively implemented and maintained, verify that controls were adequate, assess the effectiveness of the process, and identify opportunities for improvement.

We assessed the effectiveness ofthe DAU Information Technology (IT) processes, which included adherence to DAU Directives 303, "Information Systems Security," and DAU Directive 304, "Information Systems Usage," the Change Management process, and the Information Assurance process. We identified several opportunities for improvement within the DAU Change Management and Information Assurance processes, which are detailed in the attached report. These areas for improvement include maintaining training records, maintaining personnel lists, and tracking change requests. .

Overall, DAU is adhering to its internal procedure, but the process can be improved by implementing Information Assurance training, assigning specific people to Change Advisory Board (CAB) roles, and maintaining logs to track system changes. Most of these issues are slated to be resolved when DAU's new IT system and policies are implemented in September 2012. We recommend that DAU reassess the new IT system policies and procedures 1 year after implementation to gauge their effectiveness.

Please provide my office with the status of actions planned and taken in response to this memorandum by September 7, 2012. This report completes the DoD IG's assessment of the DAU functional areas. We will issue a final report identifying any systemic issues identified during the course of the process area assessments .

48


Technical Assessment Directorate

Attaclunent: As stated.

cc: Director, Operations Support Group

49

Process Quality Assessment of Defense Acquisition University's Information Systems Process

Objective Our overall objective was to perform a quality review, using ISO 9001:2008 Quality

Management System assessment teclmiques, of the Defense Acquisition University (DAU)

Information Technology (IT) processes. Specifically, we examined DAU's IT directives, the

Change Management process, and Information Assurance process to determine whether

established practices were effectively implemented and maintained and whether process controls

were adequate and identified organizational risks. We also determined the effectiveness of each

process to identify areas with an opportunity for improvement.

Scope and Methodology We conducted a quality review ofiT processes, based on ISO 9001 :2008 Quality Management

System, administered by the DAU IT department. Specifically, we reviewed DAU's IT

Directives 303, " Information Systems Security" and 304, "Information Systems Usage," change

management, and information assurance documentation. We intervie\ved DAU IT personnel to

learn the processes used to meet the intent ofDAU Directives 303 and 304. We compared

DAU's IT processes with the relevant criteria to identify weaknesses in DAU's system. We also

reviewed samples of change requests, e-mail logs, access control logs, and event tracking to

verify that DAU personnel were properly adhering to DAU processes.

A. Change Management DAU's change management (CM) system is currently undergoing restructuring, and new

procedures are being drafted and should be implemented in September 2012. The CM processes,

such as the recently implemented Enterprise Support System (ESS), are embedded into the

Eoterprise IT Management Process, which has two phases. The first phase focuses on the

strategic implications of the change, while the second phase includes the operational design,

review, and implementation process aligned with the Information Technology Information

Library (!TIL) framework for CM. The ESS will manage the change request process.

Change Advisory Board, Technical Review Board, and Tech Council DAU's Change Management Plan requires the existence of a Change Advisory Board (CAB) to make decisions on whether to implement changes recommended by the Technical Review Board

(TRB). The CAB is expected to begin meeting once the Enterprise IT Management process is

active and its primary focus will be on existing operations. lt will meet weekly, with minutes

being maintained. Currently there are no designated members of the CAB, but instead each role

will be filled by personnel from a business unit. It is our judgment that the CAB will have

50

smoother operations if specific representatives from each business unit are assigned specific

roles on the CAB. The TRB will be managed tlu·ough the ESS, consisting of the following

teams: NSOC- System Support, DAU Information Assurance (IA) - Technical Support, and

System Owners. DAU will have pers01mel assigned to roles within these teams to fulfill the

TRB requirements. Currently an informal process is used for CM actions. The open CM actions

are untracked and being stored in e-mail. Once the Enterprise IT Management Process is active,

this list will be tracked and maintained in a real-time manner as an official process.

Unlike the CAB, the Tech Council is a strategic body that is focused on new systems and

technologies. The Tech Council is responsible for reviewing and approving the requirements,

alternatives analysis, and business cases and conducts periodic investment reviews for proposed

systems and technologies. The Tech Council is required to meet every 60 days, although it

generally meets monthly. See the flowchart for an overview of the Tech Council process. After

a request has been made, it goes to the Enterprise Architecture (EA), where it is determined if it

is a new product or will be affecting an existing product. Requests for new products then go to

the Tech Council for review. If it gets approved and is full y funded, it moves on to the CAB and

fini shes the rest of the CM process. If the change is not funded, it is sent to the Resource

Counci l to determine if there is a way to fu nd it. If there is funding and it has been approved, it

moves on to the CAB, but if there is no funding, the change is sent back to the beginning of the

process. A change to an existing product will go straight to the CAB unless funding is required.

If funding is required to change an ex isting product, it must first go to the Resource Council , but

Tech Council approval is not required. DAU IT Investment Management Process as or 6-11-2012

High level View

CIO Managed

G'V"""~0 Ot~Rtqo~uc

TC'U..Cwr<J

,,J.w.x. J f l,ll;!n,lr(II31.X.l'N ($"''· , .. , ..,,l>P>') (N~tN f.IJNnJ .Jf·potll) E:uili..,JF'tCdl)(.l

:JITS>_...llrJ) RtJtoEA

j '- • Roes.c-JtcC' Cc.u-.c..!

EJ~!.\1'1-l f'rc.;jl,(t r .... EAR-t· • ..r-..,. _ _ CA5:y.~o to IT .&J."\.131' Js) F ~,~noj:n; Rtq>irN

• J

l ,~.il 1'1.;.).;(1

Atr•oit'danJ f~JN~fN UU r-io

~~~~~~:~<Js~ Our~ .. ll"l')et'"~ t I-- '-YH '"'" ~"'"""' rur.if'd

t'•;'l.:r•-.•~u~

1 ( u,,J>'< ru,.-...0

51

Emergency Changes In the DAU Change Management Plan, a change is defined as an emergency if "The

implementation is required to address a high risk situation in which DAU data has a high level of

exposure and there is a high likelihood of the situation being exploited." In the event of an

emergency change arises, CAB members will be notified and asked to review the viability of the

implementation of the emergency change and vote on whether to implement the change. This

vote is taken into consideration by the CAB chair, but the CAB chair has the final authority in

deciding when and if an emergency change will be implemented. The number of emergency

changes occurring is currently not being tracked.

Opportunities for Improvement We recommend that the Chief of Staff, DAU, require IT persmmel to:

I . Maintain a list of people from each business unit filling each of the CAB roles

2. Ensure changes are officially tracked as stated in the new Enterprise IT Management

Process

3. Track the number of changes that are occurring

B. Information Assurance Documentation DAU Directives 303 and 304 ensure that IA is integrated into all policies and procedures. DAU

is also required to follow DoD Instruction 8510.0 I, "DoD Information Assurance Certification

and Accreditation Process" (DIACAP). DAU has completed the IA Certification and

Accreditation (C&A) process in accordance with DIACAP. DAU has also appointed people to

the required IA roles. To meet the IA requirements, DAU IT maintains a list ofiA goals that are

all of equal importance and updated annually. DAU also maintain a list of accredited DoD information systems, which include the following: Digital Asset Management System (DAMS),

Chief Learning Offices (CLO) Dashboard, ESS, ACQDemo, and Composica. They verify

compliance of a system using several methods, which include Gold Disk and manual checks for

Security Teclmical Implementation Guide (STIG) compliance, Retina for Information Assurance

Vulnerability Management (IAVM) compliance validation, and Web Inspect for web application

validation.

Digital Asset Management System Plan of Action and Milestones (POA&M) We reviewed DAD's Plan of Action and Milestones (POA&M) for DAMS, which identified that

the "DAU boundary defense is not properly documented at the primary and COOP sites." This

was to be addressed by June 1, 2012, and from the evidence we have received, it appears it has

yet to be completed.

DIACAP Certification and Accreditation After our meeting with the DAU IT staff, we found that DAU performed the C&A at the

component level but not at the DAU network and DAU enclave boundary. We recommend that

52

DAU IT perform C&A at the network and enclave boundaries, as well as ensure that the

boundary defense documentation is put in place as soon as possible.

Sanitization As stated in DAU' s IA Implementation Guide No.2, "All DAU Components shall sanitize IT

equipment and electronic storage media prior to disposal in accordance with DoD 5200.1-R."

DAU sanitizes workstations with a DoD-compliant "wipe utility" and physical destruction of

di-ives in cases where the wipe utility is not viable. About 25 percent ofthe DAU system

inventory is sanitized a year clue to the systems being decommissioned because they reached the

end of their useful life. Workstations are also sanitized before DAU relinquishes custody ofthe

system. As required in DAU Directive 303 , DAU IT also maintains a workstation baseline

image to restore systems found to be infected with malicious logic or code. DAU IT then uses

Ghost to implement the re-imaging process.

lA Training and Incident Response DAU does not have a documented training program for IA at this time. Applicable training

items, used to create a common foundational understanding of IA, are identified in Skillport and

on the DISA VTE. A list of training completed is maintained in Skillport and on the DISA VTE

sites. There is currently documented training for the DIACAP Validator, but general IA training

documents and processes are still being drafted.

DAU's Incident Response Plan includes the steps that the Critical Incident Response Team

(CIRT) should perform when an incident occurs. In the event of an IA Incident, all Information

Assurance Officers (lAOs) are trained to perform the role of the Critical Incident Coordinator as

outlined in DAU's Incident Response Plan. A list of trained TAOs is not ctmently being

maintained. Also, there is no documentation showing that the TAOs have read, understand, and

acknowledged the DAU's lA policy and Incident Response Plan. DAU IT currently has a

limited Contingency Plan that identifies the transference of support to DAU's alternate site, and

is currently drafting a Continuity of Operations Plan.

IT Record Keeping As required by the directives, logs must be kept for access control , inbound and outbound e-mail,

changes to firewall parameters, permitted connectivity, and enabled services. We reviewed

samples ofthe access control logs, inbound and outbound e-mail logs, and a screenshot ofthe

Event Tracker, and found them to be properly maintained. Logs are also required for web sites

visited, files downloaded, time spent on the internet, and system security-related events. DAU

IT uses Solarwinds to track changes to firewall parameters, permitted connectivity, and enabled

services. MARS is used for the historical logging of these settings. Web Sense is used for web

site filtering and also maintains a list of sites visited. When used in combination with MARS,

53

DAU IT is able to see files that are downloaded and how long a c01mection is open. We

determined these logs were being properly maintained.

Opportunities for Improvement We recommend that the Chief of Staff, DAU, require IT personnel to:

I. Maintain a list of people on the CIRT

2. Maintain a list of people who are trained to act as a Critical Incident Coordinator

3. Keep signed forms from all lAOs acknowledging that they have read and understand

DAU's Incident Response Plan

4. Ensure IA training is finished being drafted

5. Ensure boundary defense is properly documented

6. Perform C&A at the DAU network level and DAU enclave boundary

Conclusion We conducted a quality review of the DAU IT system processes, based on ISO 9001:2008

Quality Management System. We found minor issues relating to personnel lists, tracking

changes, and training. Most of these issues are slated to be resolved when DAU's new IT

policies go online in September 2012. We recommend that DAU reassess the new IT system

policies and procedures a year after implementation to gauge their effectiveness.

55

Defense Acquisition University Quality Assurance Process Assessment-Information Technology Process Report ·

Opportunities for lmprovement

I. Maintain a list of people from each business tmit filling each of the Change Advisory Board (CAB) roles

• Defense Acquisition University (DA U) concurs with the suggestion and will complete'the action by September 30, 2012.

2. Ensure changes are oft1cially tracked as stated in the new Ente1vrise Information Technology (IT) Management Process

• DA U concurs with the suggestion and will complete the action by September 30, 2012.

3. Track the number of changes that are occurring • DA U concurs with suggestion and this will be captured once the Ente1prise iT

Management Process is implemented by September 30, 2012.

4. Maintain a list of people on the Critical Incident Response Team (CIRT) • DA U concurs with tlte suggestion and is already in compliance with this as the

CIRT members are identified in the DAU Incident Response Plan (version 3, dated Februmy 21, 2012).

5. Maintain a list of people who are trained to act as a Critical Incident Coordinator • DA U concurs with the suggestion and is alreac(y in compliance with this as the

CIRT members are ident~(ied in the DA U Incident Response Plan (version 3, dated Febntal)' 21, 201 2).

6. Keep signed forms from all Information Assurance Officers acknowledging that they have read and understand DAU's Incident Response Plan

• DAU concurs with this suggestion and will complete by August 31, 2012.

7. Ensure Information Assurance (lA) traiuing is finished being drafted • DA U concurs with this suggestion and the IA training plan is currently being

written by the Senior Information Assurance Officer, to be completed by October 15, 2012.

8. Ensme boundary defense is properly documented • DA U concurs with the suggestion and believes that the boundmy defense is

properly documented today as evidencedfi'om our last Cyber Command Readiness inspection in which we received an excellent score for boundmJ' defense. We believe that the discrepancy lies in the .fact that the Plan of Actions and Milestones (POA&M) that was reviewed by the Inspector General (IG) had this control marked as non-compliant; this was due to the vendor that generated the POA&};/ marking it as non-compliant without proper ver((ication. However, as a result of the IG assessment we will be creating a consolidated

Attachment

56

Network Design Guide document to further clarify our boundmy defense design, configuration and management practices, expected completion of this document is October 31, 2012.

9. Perform Certification and Accreditation at the DAU network level and DAU enclave boundary

• DA U concurs with this suggestion and this is pari of the plan for the relocation of the Fort Belvoir Data Center, expected completion date is September 30, 2013.

Management Comments

57

59

ISO 9001:2008 Quality Assurance Assessment of Defense Acquisition University Processes (Project No. D2012-DTOTAD-0004.000)

Recommendations

1. Document all the processes and procedures within the seven functional areas and reassess their validity a year after full implementation. • DAU concurs with the recommendation and will have all processes and

procedures with the seven functional areas thoroughly and properly well documented no later than September 30, 2013.

2. Review each process flowchart and standardize them across the university. • DA U concurs with the recommendation and will review each process flowchart

reviewed for standardization and consistency across the university no later than March 31, 2013.

3. Review training on internal processes and procedures and track and document that all individual users have completed the training. • DA U concurs with the recommendation and will review our training on internal

processes and procedures, and will track and document that all individual users have completed appropriate training by March 31, 2013.

Attachment

iso 9001:2008 quality assurance assessment of defense ... · pdf fileiso 9001:2008 quality ......

Documents